CVE-2016-7405 (from http://www.openwall.com/lists/oss-security/2016/09/07/8):

jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method, improperly quoting strings resulting in a potential SQL injection attack vector. This affects only PDO-based drivers, and only in the case where the query is built by inlining the quoted string, e.g.

    $strHack = 'xxxx\\\' OR 1 -- ';
    $sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
    $rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example, the code should be rewritten to use query parameters, like

    $strHack = 'xxxx\\\' OR 1 -- ';
    $sql = "SELECT * FROM employees WHERE name = ?";
    $rs = $db->getAll($sql, array($strHack));

Please let me know if a CVE is needed for this. Patch for the issue is available [2], and will be included in upcoming ADOdb v5.20.7 release.

[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9

CVE-2016-4855 (https://jvn.jp/en/jp/JVN48237713/):

JVN#48237713 ADOdb vulnerable to cross-site scripting

Overview
ADOdb test script contains a cross-site scripting vulnerability.

Products Affected
ADOdb versions prior to 5.20.6

Description
ADOdb is a database abstraction layer for PHP. The library's test script (test.php) contains a cross-site scripting (CWE-79) vulnerability.

Impact
An arbitrary script may be executed on the user's web browser.

Solution
Update the Software
Update to the latest version according to the information provided by the developer.

Apply a Workaround
The developer recommends the following workaround: "The whole ./tests directory should be removed from client installations. It is only used for development purposes and not necessary for ADOdb operations."
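The two patterns in the oss-security post above, worked through as an added example that is not part of this bug report or of ADOdb itself. It uses plain PDO against an in-memory SQLite database (the employees table and its rows are constructed here) rather than ADOdb's getAll(), and the names buildSampleDb(), findEmployeesByName() and findInlinedQstr() are chosen for this example. It shows that the advisory's own input returns no rows once the value is passed as a bound parameter, and includes a small source-audit helper that flags the one usage pattern the advisory says is affected: qstr() output concatenated into a query string.

```php
<?php
// Added example, not ADOdb's own code. Assumptions: PDO with the sqlite
// driver is available; the schema and rows below are constructed for the demo.
declare(strict_types=1);

function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO employees (name) VALUES ('alice'), ('bob')");
    return $db;
}

// The recommended form: the value travels as a bound parameter and is never
// spliced into SQL text, so the driver's quoting rules cannot be abused.
function findEmployeesByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM employees WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Audit helper (hypothetical name): returns [lineNumber => lineText] for lines
// that concatenate a qstr() call into a string literal, i.e. the inlined
// pattern the advisory describes. Parameterised queries are not flagged.
function findInlinedQstr(string $phpSource): array
{
    $hits = [];
    foreach (explode("\n", $phpSource) as $i => $line) {
        if (preg_match('/"\s*\.\s*\$\w+->qstr\s*\(|->qstr\s*\([^)]*\)\s*\.\s*"/', $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = buildSampleDb();

// Same input as in the advisory: a backslash followed by a single quote.
$strHack = 'xxxx\\\' OR 1 -- ';

$rows = findEmployeesByName($db, $strHack);
expect(count($rows) === 0, 'hostile input matches no employee');
expect(count(findEmployeesByName($db, 'alice')) === 1, 'normal lookup still works');

// Constructed snippet in the advisory's vulnerable style, to exercise the audit.
$legacy = <<<'PHP'
$sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
$rs  = $db->getAll($sql);
$ok  = "SELECT * FROM employees WHERE name = ?";
PHP;

$flagged = findInlinedQstr($legacy);
expect(array_keys($flagged) === [1], 'only the inlined qstr() line is flagged');

echo "rows returned for the advisory's input: " . count($rows) . "\n";
echo "inlined qstr() found on line(s): " . implode(', ', array_keys($flagged)) . "\n";
```

Run with `php example.php`; it exits silently apart from the two summary lines when every check passes. The regex in findInlinedQstr() is deliberately narrow (a string literal on one side of the concatenation), so it is a quick triage aid for a codebase that still calls qstr(), not a substitute for reviewing each query site.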
Fixed version already in tree via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf5ef14a19396a61ea2905aaf00851b9d51b17cd

@ Maintainer(s): Can we stabilize =dev-php/adodb-5.20.9?
CVE-2016-7405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7405): The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Can we stabilize =dev-php/adodb-5.20.9?

It's probably OK.. I just noticed the CVEs in the changelog and bumped this, but I haven't updated to it on our servers yet. Let's start the process; I'll update to it myself, and come back and make noise if I notice any problems.
@ Arches, please test and mark stable: =dev-php/adodb-5.20.9
Stable on alpha.
amd64 stable
x86 stable
sparc stable
ppc stable
ia64 stable
ppc64 stable
Stable for HPPA.
jer cleaned up for me? I don't mind =P The vulnerable versions are gone.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201701-59 at https://security.gentoo.org/glsa/201701-59 by GLSA coordinator Aaron Bauman (b-man).